Announcement Announcement Module
No announcement yet.
ACL Problem Page Title Module
Move Remove Collapse
This topic is closed
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • ACL Problem


    I'd like to have some advice on how to best solve the following kind of ACL problem with Acegi:

    By default, a user should only have READ/WRITE rights to a domain object if the user and domain object share a common attribute, for example "Location". If they do not have a common attribute value, user should not have any rights to the domain object.

    The user should however be able to explicitly grant rights to a certain domain object to another user or group of users that have some other (known) value of the "Location" attribute.

    Does this explanation make any sense...? I think what I'd like to have is that a single ACL and AclObjectIdentity would concern a group of domain objects based on attribute instead of just one? Could this be done with the standard BasicAcl stuff or do I need some additional customization? Or what would be the recommended way to solve the problem (I don't have very good understanding of Acegi's ACL functionality yet and may have misunderstood something...)?

  • #2
    Is the "Location" property a "natural hierarchy", such as a hierarchy of geographical locations where offices are, and people belong to each office, and you'd like to assign ACL permissions at any of these different "containers" of geographical locations (think LDAP directories)? If so, the stock-standard ACL services will suffice and you will reflect the hierarchy using the standard acl_object_identity table.

    If, on the other hand, you have a domain object that contains a location property and you want to give permissions based on the property value, your simplest option would be to write a custom AccessDecisionVoter or AfterInvocationProvider that opened the passed or returned object respective and evaluated the contents of the property. Where this gets complicated is the default ACL services don't work based on property value, but you could conceivably create a Location object that does have ACLs assigned in the normal ACL services hierarchy for say "London" versus "Sydney". Your custom AfterInvocationProvider and/or AccessDecisionVoter would need to create or retrieve the effective ACLs from the AclManager based on the location property.